Stop Trusting Chips and Start Trusting Proofs
Your Data Is Decrypted Somewhere. The Question Is Whether Anyone Saw It.
There’s a question buried inside every conversation about cloud computing and data security that most people skip past: what actually happens to your data at the moment a machine computes on it? Not in transit. Not at rest. At the exact instant the work gets done.
The industry’s best answer to the question of data security, confidential computing, depends on a hardware-based trust model that’s showing structural cracks: the architecture requires users to trust a hardware stack that has been shown to be vulnerable to hacks and isn’t built to be post-quantum secure. These are major problems.
And as a practical matter, the systems being built for the AI-infused world, where autonomous agents collaborate across organizational boundaries, need something different. They need a verified trust layer for collaborative AI agents.
This is the world for which OpenMatter is building, and we thought it was time to lay out exactly where confidential computing hits its limits and how the systems we are building are designed to work past them.
And next week, we’ll show you the solution in action: Quantum Guard. But for now, let’s get familiar with the problem before we detail the solution.
From Hardware Isolation to Mathematical Proof
No matter how well built, there’s a moment in security architecture when the mask comes off, when the encryption dissolves and your data sits exposed in memory, briefly naked, trusting that no one’s watching. If you’ve spent any time thinking about how computation actually works, that is, what physically happens to your data when a machine touches it, this moment haunts you. It haunted us. It’s the reason we started building OpenMatter.
In traditional cloud infrastructure, that moment of data exposure is everywhere. Confidential computing was supposed to fix this problem, and in many ways it did. But it also introduced a dependency on hardware that becomes harder to defend the further we move into a world of autonomous AI agents, multi-institutional collaboration, and regulators who won’t accept “trust us” as an audit trail. That dependency is what we built masked compute to remove, and post-quantum cryptography was the solution.
How Confidential Computing Actually Works
Confidential computing works through a mechanism called a Trusted Execution Environment, or TEE. A TEE is a hardware-isolated region inside a processor where encrypted data gets decrypted, computed on, and sealed back up. The operating system can’t see in. The cloud provider’s admins can’t see in. Intel SGX, AMD SEV, AWS Nitro Enclaves, NVIDIA’s confidential GPUs — these are all variations on the same principle.
And honestly? For single-tenant workloads on infrastructure you already trust, it’s solid engineering. We’re not here to pretend otherwise.
But here’s the thing that doesn’t get talked about enough. The security guarantee is architectural, not mathematical. You’re trusting Intel’s attestation service. You’re trusting AMD’s silicon design. You’re trusting that no vulnerability exists in the shared physical substrate, the cache hierarchies, branch predictors, and memory buses that the enclave coexists with. Ask yourself: when was the last time a complex shared physical system had zero exploitable side channels?
The answer is never. And the research bears it out. Spectre, Meltdown, Foreshadow, ÆPIC Leak, and SEVered have all demonstrated extraction of data from inside a TEE, exploiting exactly those shared resources the isolation was supposed to wall off. The a16z crypto research team put it directly: assume TEEs will eventually be compromised and design for failure. Or as the researchers at TEE.fail discovered, “the security guarantees of modern TEE offerings by Intel and AMD can be broken cheaply and easily, by building a memory interposition device that allows attackers to physically inspect all memory traffic inside a DDR5 server.” That’s not FUD. That’s engineering realism from people who deeply understand the technology.
There's a subtler problem, too, and it's the one that matters most if you're building for regulated industries. A TEE attestation proves that a specific chip ran specific code. That's it. It doesn't let a third party, whether a regulator, an auditor, or a counterparty, independently verify the result without trusting that same hardware chain. The proof of correctness is inseparable from the proof of trust in the silicon. Think about what that means for a bank trying to demonstrate compliance, or a hospital collaborating on patient data across institutions. You're asking them to trust your chip vendor. That's not a configuration issue; it’s a structural one.
A Different Kind of Proof
What if you could remove the hardware from the trust equation entirely? That's the question we couldn't stop asking. And it's why we built masked compute. This isn’t a simple upgrade to make the hardware more secure; it's a fundamentally different philosophy about how to verify the confidentiality of data.
Masked compute replaces hardware isolation with cryptographic verification. Instead of sealing your data inside a chip and hoping the walls hold, you run the computation across untrusted infrastructure and generate a publicly verifiable audit trail, proving that the work was done correctly, that policy was followed, and that no inputs or intermediate values were exposed. The proof is mathematical. It’s verifiable by anyone. It doesn’t care what chip you’re running on.
At OpenMatter, we implement this using Verifiable Multi-Party Computation and post-quantum cryptographic primitives — lattice-based cryptography and hash-based signatures designed to outlast both classical and quantum adversaries. In other words, verification is the output. You don’t need to trust our infrastructure. You check the math.
What does that buy you concretely? Hardware independence: masked compute runs on commodity infrastructure, which matters enormously when providers are running everything from cloud GPUs to bare-metal rigs in a closet. Third-party verifiability without third-party trust: a compliance officer checks a proof, not a vendor attestation. And durability: an audit trail generated today through MPC and post-quantum cryptography should still hold up in a decade, even against quantum adversaries. A TEE attestation generated today? No one can make that promise.
The Mask Stays On
We’d be doing you a disservice if we pretended this was a clean sweep. It isn’t, and we think about the tradeoffs constantly.
Traditional verifiable compute relies on expensive zero-knowledge proofs, which TEEs consistently outperform. But TEEs don’t scale to untrusted or commoditized hardware environments when private compute is a requirement. Privacy technology is still scaling, but masked compute is one of the earliest practical approaches to solving the problem of secret, secure, and collaborative computation.
So why do we believe masked compute is the right bet?
Because the divergence happens when trust gets complicated. When AI agents operate across organizational boundaries and you need to verify what they did, not just what they said they did. When multiple institutions need to compute on shared sensitive data without any of them seeing the other’s inputs. When a regulator asks for proof of compliance and you need to hand them something they can verify independently. Not a hardware attestation from a chip vendor, but a mathematical receipt.
That’s the world arriving now. Not because hardware trust is wrong, but because the systems we’re building have outgrown it.
The mask doesn’t come off. That’s the point.
— The OpenMatter Team
Datavizor, our command layer for masked compute, is in beta. If you’re building AI systems where privacy and compliance aren’t optional, come take a look.
Industry Updates
Enterprise AI Hits the Wall
Author: NTT DATA
NTT DATA’s 2026 Global AI Report surveyed 2,500+ organizations and found a striking gap: 95% say private and sovereign AI matter, but only 29% are doing anything concrete about it. The core tension? AI architectures were built to move data freely across clouds and borders, but tightening privacy and sovereignty rules are making that untenable. Jurisdiction is now an architectural constraint, not just a legal one. Roughly 60% of AI leaders cite cross-border data restrictions as a major challenge, and only 38% trust their own cloud security posture. The limits of traditional approaches to data protection are showing.
The 2026 Roadmap to Post-Quantum AI Infrastructure Security
Author: Gopher Security
Gopher Security argues that the convergence of autonomous AI agents and quantum-era threats demands a fundamentally different security posture, one built on cryptographic agility rather than static defenses. Their key insight: you don’t need to see an agent’s full reasoning chain to verify it behaved correctly; you just need the mathematical proof. Gopher Security connects zero-knowledge verification directly to MCP endpoint security and hybrid post-quantum implementations, urging organizations to audit their AI infrastructure now rather than waiting for standards to settle.
OpenMatter is building the verifiable trust layer that enables AI agents to securely collaborate on sensitive data sets. If you’re in a regulated industry and need a better way to prove that your data is secure, contact Chris to learn how masked compute can help.



